PT-2023-36349 · Unknown · @Graphql-Mesh/Cli+1

Ardatan

Publicado

2023-02-16

Atualizado

2025-02-20

CVE-2025-27098

CVSS v3.1

7.5

Alta

Vetor

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions @graphql-mesh/cli versions prior to 0.82.21 @graphql-mesh/http versions prior to 0.3.18

Description A missing check vulnerability in the static file handler allows any client to access files in the server's file system. When staticFiles is set in the serve settings in the configuration file, the handler doesn't check if absolutePath is still under the directory provided as staticFiles. This issue affects GraphQL Mesh, a framework and gateway for GraphQL Federation and non-GraphQL Federation subgraphs, non-GraphQL services, and databases.

Recommendations

Update @graphql-mesh/cli to a version higher than 0.82.21.
If using @graphql-mesh/http, update it to a version higher than 0.3.18.
Remove the staticFiles option from the configuration and use other solutions to serve static files.

Exploit

Correção

Path traversal

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-22

Identificadores relacionados

CVE-2025-27098

GHSA-J2WH-WRV3-4X4G

Produtos afetados

@Graphql-Mesh/Cli

@Graphql-Mesh/Http

PT-2023-36349 · Unknown · @Graphql-Mesh/Cli+1

CVE-2025-27098

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 10